whitelist - unintentional changes (paypal added)

[alexx]

Ciao,

today I found two paypal related entries (paypal.com and another) in the whitelist, which I did not add myself.
I do not know how this happened and I am not happy with that.
If the whitelist is changed without my knowledge, it loses its original idea and purpose.
I updated NoScript to 2.1.1.2 yesterday, so maybe that is the reason, or something malicious changed my settings, what would be scary.

NoScript comes with useful default settings for the whitelist, this is a good thing. But if the whitelist has been changed by an update, not informing me in a recognizable way, injecting some commercial domain, this breaches my intentional security settings, and is not understandable for me.

This wonderful addon is made or restricting, it is extremely useful in todays web experience.
But I do not think that the whitelist should be changed unintentional, disabling the previous restriction settings.

So, if the update changed the setting, I am 50% happy, as the reason is known.
To make me 100% happy, I would like to ask to not change an existing whitelist without making it very clear to the user.

regards,
alex

[Giorgio Maone]

All the changes have been made by this code:

Code: Select all

onVersionChanged: function(prev) {
    // update hacks
    if (this.versionComparator.compare(prev, '2.1.1.2rc6') < 0) {
      // this is a one-time merge of the default whitelist with the live whitelist
      // when sites originally included in the default list *and still in the live whitelist* 
      // (i.e. not explicitly removed by the user) depend, to work properly, on resources
      // which have been added more recently and otherwise would be whitelisted for
      // new users only (leaving upgraders to guess what breaks previously working websites)
      const cascading = {
        "hotmail.com": ["wlxrs.com"], // required by Hotmail/Live webmail
        "google.com": ["googleapis.com", "gstatic.com"], // required by most Google services and also by external resources
        "addons.mozilla.org": ["paypal.com", "paypalobjects.com"] // required for the "Contribute" AMO feature not to break badly with no warn
      };
      for (let site in cascading) {
        if (this.isJSEnabled(site)) {
          let newSite = cascading[site];
          this.jsPolicySites.remove(newSite, true, false);
          this.setJSEnabled(newSite, true);
        }
      }
    }
  }

Please look at the comments above for the rationale behind this choice (keeping usability of sites which are already in the user-customized whitelist, after the sites modified their requirements in hard-to-diagnostic ways).

The changes were also documented in the changelog / release notes page and, if reversed, are not reapplied.

[Alan Baxter]

if reversed, are not reapplied.

Confirmed.

[alexx]

Ah, I see. Thank you for your passion with that. I was not aware that you take so much care to not brake user experience, specifically in the case when popular sites change their requirements. This is a good thing :)
As neither hotmail nor google (only gstatic) are whitelisted here, I just saw the paypal entries. The only problem with that is that the whitelist is valid for the whole browser session, not domain related to a tab. But this is by design, and I see that a decision had to be taken, concerning the page changes.

Thanks for the good explanation (code).

regards,
alex